Privacy and hunt for the code
The DNA technology (use and application) regulation bill and the personal data protection bill are under consideration by two separate parliamentary committees. It is necessary to discuss the nature of DNA information and to review these bills together to explore whether sufficient privacy protection has been extended to DNA information.
DNA samples are a potential source of human genetic information and can reveal sensitive health information. DNA information can also be used to trace familial linkages and have repercussions on other family members that are intergenerational and lead to the profiling of an entire community/ethnic group/caste/tribe or race. Unauthorized disclosure could lead to genetic profiling and other forms of profiling, leading to discrimination that can undermine the dignity and the privacy of the person concerned and cause grave violations of group rights. Profiling of religious, ethnic or linguistic minorities has in many jurisdictions led to their persecution.
It was precisely for this reason that the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 was notified under the Information Technology Act, 2000. It referred explicitly to DNA in the definition of biometric information. Additional privacy safeguards were provided for such sensitive personal information. However, in the PDP bill, there is no explicit mention of DNA information even though any logical interpretation of ‘biometric information’ and ‘genetic information’ would require the inclusion of DNA. Such a reference to DNA information within the definitions of biometric and genetic information would obviate the possibility of illogical interpretations.
In 2017, the Supreme Court recognized the right to privacy as a fundamental right. This implies the prohibition of indiscriminate collection and unnecessary use of DNA information. DNA collection should only be mandated through a strictly consensual procedure, ensuring prior informed written consent in civil matters. In criminal investigations and trials, DNA should also be obtained consensually. In the case of arrested persons, an order by the judicial magistrate would be necessary. While obtaining the order from the judicial magistrate, it should be mentioned that the burden of proof is on the investigating officer to demonstrate how the collection of and access to DNA samples are necessary for the investigation. Furthermore, persons have to be informed in their own language while explaining the implications of DNA sharing on privacy and constitutional rights, when and for what purpose their DNA information has been shared, and when can they seek deletion of their DNA profile from the databank.
None of these privacy guarantees features in the DNA bill at present. It creates two categories of people. There is no requirement for obtaining consent of those arrested for offences punishable with death or by imprisonment of more than seven years. The second category constitutes those arrested for offences punishable with a lesser penalty. Procedurally, written consent is required for the second category, but if it is not given, it can be mandated through the order of a magistrate. The DNA bill falters on endorsing voluntary consent by opting for procedures such as consent given in writing on the order of the magistrate instead of advocating for prior informed consent. Involuntary consent, tantamount to coerced consent, seems to be integral to the DNA bill, whereas the PDP bill provides that consent necessary for processing personal data be ‘informed, free, specific, clear and capable of being withdrawn’. The DNA bill thus needs to replicate the consent provision in the PDP bill along with a provision to ensure that the person from whom bodily substance is taken for DNA testing is given the ‘right to be heard’ by a magistrate.
Profiles in the DNA databank are categorized into five indices — crime scene; suspects/undertrials; offenders; missing persons; and unknown deceased person. This ensures that searches for DNA profile match may be performed across all indices as all of them are maintained together in a single DNA databank. ‘Suspects’ are not defined under Indian law, leaving the investigating officer with complete discretion to define a ‘suspect’. It is unclear whose DNA profile will be uploaded in the ‘suspects and undertrials’ index, thus allowing the kind of searches that will lead to violations of privacy. Criminal and civil DNA databanks should also be segregated.
Significantly, the proposed Data Protection Authority of India may approve any code of practice submitted by the sectoral regulator in the interest of the data principal. Therefore, the present state of the DNA bill demands a change through the incorporation of transparency and accountability measures within the DNA regulatory architecture.
The DNA bill and the PDP bill have to be read concomitantly and harmonized in a manner which would ensure robust and effective privacy protection for DNA information.